Merge 2.5.x changes to trunk.

rules/CHANGELOG

@@ -1,10 +1,106 @@
+--------------------------
+Version 2.0 - 07/29/2009
+--------------------------
+
+New Rules & Features:
+- Fine Grained Policy
+    The rules have been split to having one signature per rule instead of having
+    all signatures combined into one optimized regular expression.
+    This should allow you to modify/disable events based on specific patterns
+    instead of having to deal with the whole rule.
+- Converted Snort Rules
+    Emerging Threat web attack rules have been converted.
+    http://www.emergingthreats.net/
+- Anomaly Scoring Mode Option
+    The rules have been updated to include anomaly scoring variables which allow
+    you to evaluate the score at the end of phase:2 and phase:5 and decide on what 
+    logging and disruptive actions to take based on the score.
+- Correlated Events
+    There are rules in phase:5 that will provide some correlation between inbound
+    events and outbound events and will provide a result of successful atttack or
+    attempted attack.
+- Updated Severity Ratings
+    The severity ratings in the rules have been updated to the following:
+    - 0: Emergency - is generated from correlation where there is an inbound attack and
+         an outbound leakage.
+    - 1: Alert - is generated from correlation where there is an inbound attack and an
+         outbound application level error.
+    - 2: Critical - is the highest severity level possible without correlation.  It is
+         normally generated by the web attack rules (40 level files).
+    - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+    - 4: Warning - is generated by malicious client rules (35 level files).
+    - 5: Notice - is generated by the Protocol policy and anomaly files.
+    - 6: Info - is generated by the search engine clients (55 marketing file). 
+- Updated Comment SPAM Protections
+    Updated rules to include RBL lookups and client fingerprinting concepts from
+    Bad Behavior (www.bad-behavior.ioerror.us)
+- Creation of Global Collection
+    Automatically create a Global collection in the *10* config file.  Other rules
+    can then access it.
+- Use of Block Action
+    Updated the rules to use the "block" action.  This allows the Admin to globally
+    set the desired block action once with SecDefaultAction in the *10* config file 
+    rather than having to edit the disruptive actions in all of the rules or for 
+    the need to have multiple versions of the rules (blocking vs. non-blocking).
+- "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+   http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html 
+- "Possibly malicious iframe tag in output" (Rules 981001,981002)
+    Planting invisible iframes in a site can be used by attackers to point users
+    from the victim site to their malicious site. This is actually as if the
+    user was visiting the attacker's site himself, causing the user's browser to
+    process the content in the attacker's site.
+		 
+New Events:
+- Rule 960019 - Expect Header Not Allowed.
+- Rule 960020 - Pragma Header Requires Cache-Control Header
+- Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+                as it is reserved for use as a fragment identifier within the html page.
+- Rule 958291 - Range: field exists and begins with 0.
+- Rule 958292 - Invalid Request Header Found.
+- Rule 958293 - Lowercase Via Request Header Found.
+- Rule 958294 - Common SPAM Proxies found in Via Request Header.
+- Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+- Rule 958296 - Request Indicates a SPAM client accessed the Site.
+- Rule 958297 - Common SPAM/Email Harvester crawler.
+- Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+- Rule 950107 - Split the rule into 2 separate rules to factor in the
+                Content-Type when inspecting the REQUEST_BODY variable.
+- Rule 960017 - Bug fix for when having port in the host header.
+- Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+- Rule 950801 - Increased the logic so that the rule will only run if the web site
+                uses UTF-8 Encoding.
+- Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+                        allow the IPv6 loopback address
+- Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+                and to identify offsite hosts by comparing the ARG URI to the Host 
+                header.  Due to this rule now being stronger, moved it from optional
+                tight security rule to *40* generic attacks file.
+
+Other Fixes:
+- Added more HTTP Protocol violations to *20* file.
+- Set the SecDefaultAction in the *10* config file to log/pass (This was the
+  default setting, however this sets it explicitly.
+- Added SecResponseBodyLimitAction ProcessPartial to the *10* config file.  This
+  was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+  not deny response bodies that go over the size restrictions.
+- Changed SecServerSignature to "Apache/1.3.28"
+- Fixed the use of SkipAfter and SecMarkers to make it consistent.  Now have 
+  BEGIN and END SecMarkers for rule groups to more accurately allow moving to 
+  proper locations.
+- Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+  This removes the need for some SecAction/SkipAfter rules.
+- Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+  rules and chained rules).
+
 --------------------------
 Version 1.6.1 - 2008/04/22
 --------------------------
 
 - Fixed a bug where phases and transformations where not specified explicitly
     in rules. The issue affected a significant number of rules, and we strongly
-		recommend to upgrade.
+    recommend to upgrade.
 
 --------------------------
 Version 1.6.0 - 2008/02/19